1. Overview

Some time ago, I was automating a few tasks with PowerShell and needed to set NTFS permissions on a folder. I was tempted to use the good old ICACLS.EXE command line, but I wanted to keep it all within PowerShell. While there are a number of different permissions you could want to set for a folder, my specific case called the following:

-          Create a new folder

-          Check the default permissions on the new folder

-          Turn off inheritance on that folder, removing existing inherited permissions from the parent folder

-          Grant “Full Control” permissions to Administrators, propagating via inheritance to files and subfolders

-          Grant “Read” permissions to Users, propagating via inheritance to files and subfolders

-          Review the permissions on the folder

2. The old ICACLS

In the old CMD.EXE world, you would use ICACLS.The commands would look like this:

-          MD F:\Folder

-          ICACLS F:\Folder

-          ICACLS F:\Folder /INHERITANCE:R

-          ICACLS F:\Folder /GRANT Administrators:(CI)(OI)F

-          ICACLS F:\Folder /GRANT Users: (CI)(OI)R

-          ICACLS F:\Folder

新建共享rollback,赋予 ddv\test01、Administrators用户完全控制权限

mkdir d:\rollback
net share rollback=d:\rollback /GRANT:ddv\test01,FULL /GRANT:administrators,FULL

cacls D:\ /T /E /C /G Users:F
cacls D:\ /T /E /C /P everyone:R

3. The PowerShell way

After some investigation, I found the PowerShell cmdlets to do the same things. You essentially rely on Get-Acl and Set-Acl to get, show and set permissions on a folder. Unfortunately, there are no cmdlets to help with the actual manipulation of the permissions. However, you can use a few .NET classes and methods to do the work. Here’s what I ended up with:

-          New-Item F:\Folder –Type Directory

-          Get-Acl F:\Folder | Format-List

-          $acl = Get-Acl F:\Folder

-          $acl.SetAccessRuleProtection($True, $False)

-          $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")

-          $acl.AddAccessRule($rule)

-          $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Users","Read", "ContainerInherit, ObjectInherit", "None", "Allow")

-          $acl.AddAccessRule($rule)

-          Set-Acl F:\Folder $acl

-          Get-Acl F:\Folder  | Format-List

4. Looking at the output

To show how this works, here’s the output you should get from those commands. Be sure to use the option to “Run as Administrator” if you’re creating a folder outside your user’s folders. Note that I made a few changes from the cmdlets shown previously. I also included couple of calls to the GetAccessRules method to get extra details about the permissions.

PS F:\> New-Item F:\Folder -Type Directory

Directory: F:\

Mode                LastWriteTime     Length Name

----                -------------     ------ ----

d----         11/6/2010   8:10 PM            Folder

PS F:\> $acl = Get-Acl F:\Folder

PS F:\> $acl | Format-List

Path   : Microsoft.PowerShell.Core\FileSystem::F:\Folder

Owner  : BUILTIN\Administrators

Group  : NORTHAMERICA\Domain Users

Access : BUILTIN\Administrators Allow  FullControl

BUILTIN\Administrators Allow  268435456

NT AUTHORITY\SYSTEM Allow  FullControl

NT AUTHORITY\SYSTEM Allow  268435456

NT AUTHORITY\Authenticated Users Allow  Modify, Synchronize

NT AUTHORITY\Authenticated Users Allow  -536805376

BUILTIN\Users Allow  ReadAndExecute, Synchronize

BUILTIN\Users Allow  -1610612736

Audit  :

Sddl   : O:BAG:S-1-5-21-124525095-708259637-1543119021-513D:(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;FA;;;SY)(A;OICIIOID

;GA;;;SY)(A;ID;0x1301bf;;;AU)(A;OICIIOID;SDGXGWGR;;;AU)(A;ID;0x1200a9;;;BU)(A;OICIIOID;GXGR;;;BU)

PS F:\> $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

FileSystemRights  : FullControl

AccessControlType : Allow

IdentityReference : BUILTIN\Administrators

IsInherited       : True

InheritanceFlags  : None

PropagationFlags  : None

FileSystemRights  : 268435456

AccessControlType : Allow

IdentityReference : BUILTIN\Administrators

IsInherited       : True

InheritanceFlags  : ContainerInherit, ObjectInherit

PropagationFlags  : InheritOnly

FileSystemRights  : FullControl

AccessControlType : Allow

IdentityReference : NT AUTHORITY\SYSTEM

IsInherited       : True

InheritanceFlags  : None

PropagationFlags  : None

FileSystemRights  : 268435456

AccessControlType : Allow

IdentityReference : NT AUTHORITY\SYSTEM

IsInherited       : True

InheritanceFlags  : ContainerInherit, ObjectInherit

PropagationFlags  : InheritOnly

FileSystemRights  : Modify, Synchronize

AccessControlType : Allow

IdentityReference : NT AUTHORITY\Authenticated Users

IsInherited       : True

InheritanceFlags  : None

PropagationFlags  : None

FileSystemRights  : -536805376

AccessControlType : Allow

IdentityReference : NT AUTHORITY\Authenticated Users

IsInherited       : True

InheritanceFlags  : ContainerInherit, ObjectInherit

PropagationFlags  : InheritOnly

FileSystemRights  : ReadAndExecute, Synchronize

AccessControlType : Allow

IdentityReference : BUILTIN\Users

IsInherited       : True

InheritanceFlags  : None

PropagationFlags  : None

FileSystemRights  : -1610612736

AccessControlType : Allow

IdentityReference : BUILTIN\Users

IsInherited       : True

InheritanceFlags  : ContainerInherit, ObjectInherit

PropagationFlags  : InheritOnly

PS F:\> $acl.SetAccessRuleProtection($True, $False)

PS F:\> $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")

PS F:\> $acl.AddAccessRule($rule)

PS F:\> $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Users","Read", "ContainerInherit, ObjectInherit", "None", "Allow")

PS F:\> $acl.AddAccessRule($rule)

PS F:\> Set-Acl F:\Folder $acl

PS F:\> Get-Acl F:\Folder  | Format-List

Path   : Microsoft.PowerShell.Core\FileSystem::F:\Folder

Owner  : BUILTIN\Administrators

Group  : NORTHAMERICA\Domain Users

Access : BUILTIN\Administrators Allow  FullControl

BUILTIN\Users Allow  Read, Synchronize

Audit  :

Sddl   : O:BAG:S-1-5-21-124525095-708259637-1543119021-513D:PAI(A;OICI;FA;;;BA)(A;OICI;FR;;;BU)

PS F:\> (Get-Acl F:\Folder).GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

FileSystemRights  : FullControl

AccessControlType : Allow

IdentityReference : BUILTIN\Administrators

IsInherited       : False

InheritanceFlags  : ContainerInherit, ObjectInherit

PropagationFlags  : None

FileSystemRights  : Read, Synchronize

AccessControlType : Allow

IdentityReference : BUILTIN\Users

IsInherited       : False

InheritanceFlags  : ContainerInherit, ObjectInherit

PropagationFlags  : None

PS F:\>

5. Controlling parent folder inheritance

The script uses SetAccessRuleProtection, which is a method to control whether inheritance from the parent folder should be blocked ($True means no Inheritance) and if the previously inherited access rules should be preserved ($False means remove previously inherited permissions).

6. Building the access rules

To build a new access rule, the script also uses the New-Object cmdlet and specify the full name of the FileSystemAccessRule class. There are many constructors for this specific class of objects. I used one of the more complete ones, which takes 5 parameters:

-          Identity (name of the user or group)

-          Rights (including the common Read, Write, Modify and FullControl, among many others)

-          Inheritance Flags (including None, ContainerInherit or ObjectInheritance)

-          Propagation Flags (including None or InheritOnly, among others)

-          Type (Allow or Deny)

I am using the .NET classes in this part, and that’s why you have to use the full name of the class (like System.Security.AccessControl.FileSystemAccessRule) and the full name of the data types (like [System.Security.Accesscontrol.InheritanceFlags]).

7. Using variables

The script also uses a few variables (names starting with a $ sign). In order to change the permissions, for instance, I started by copying the existing ACL to a variable called $acl using the Get-Acl cmdlet. Next, I modified $acl in memory and finally I applied the $acl back to the folder using Set-Acl cmdlet. You could avoid using the $rule variable, but your code would get a bit more complex. For instance, I could change the script shown previously to use only the $acl variable:

-          $acl = Get-Acl F:\Folder

-          $acl.SetAccessRuleProtection($True, $False)

-          $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")))

-          $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("Users","Read", "ContainerInherit, ObjectInherit", "None", "Allow")))

-          Set-Acl F:\Folder $acl

This does cut 2 lines from that section of the script. While I see of lot of fans of using a smaller number of command lines (even if they are longer command lines), I find the version that uses the additional $rule variable easier to understand.

8. Default permissions

You might have noticed that the initial attributes for the folder includes quite a few inherited permissions. Those are inherited from the parent folder F:\, and are the default permissions when you format an NTFS volume. Here are they in a nicely formatted table:

Identity

Type

Rights

BUILTIN\Administrators

Allow

FullControl

BUILTIN\Administrators

Allow

268435456

NT AUTHORITY\SYSTEM

Allow

FullControl

NT AUTHORITY\SYSTEM

Allow

268435456

BUILTIN\Users

Allow

ReadAndExecute, Synchronize

NT AUTHORITY\Authenticated Users

Allow

Modify, Synchronize

NT AUTHORITY\Authenticated Users

Allow

-536805376

Some of the rights are fully spelled out (like “Full Control”, “Modify”, “Read”, “Write”, “Synchronize” and “ReadAndExecute”). More complex combinations are shown as numbers. The infrastructure only translates the numeric code into text for the most common ones.

9. Setting the Owner

Another fairly common operation is setting a new owner for a folder. This is useful when provisioning a folder for a specific user and wanting to give the user the ownership of the folder itself. It’s also handy if a administrator has been locked out of a folder. If I am the administrator, I can set the owner to myself  and then grant myself permissions to access the folder. In CMD.EXE, you would use

-          ICACLS F:\Folder /SETOWNER Administrators

The PowerShell equivalent would be:

-          $acl = Get-Acl F:\Folder

-          $acl.SetOwner([System.Security.Principal.NTAccount] "Administrators")

-          Set-Acl F:\Folder $acl

10. It’s actually a Security Descriptor

The information returned by Get-Acl is actually better described as a “Security Descriptor”, not really an ACL (Access Control List). It contains a number of security-related information, including the Owner, the Group Owner, the Discretionary Access Control List (also known as DACL, which is where we added the two rules), the Audit Access Control List (also known as SACL). Technically, adding the two rules actually adds two ACEs (Access Control Entries) to the DACL (Discretionary Access Control List).

Also listed by Get-ACL is SDDL string. The SDDL a string that combines all the information returned by Get-Acl in a single string. It’s a bit hard to parse for humans, but it’s closer to the internal representation.

11. Looking at the other methods

There are a number of additional methods available to handle the Security Descriptor returned by Get-Acl. If you want to look into them, just pipe the output to Get-Member. See the example below:

PS F:\> Get-Acl F:\Folder | Get-Member

TypeName: System.Security.AccessControl.DirectorySecurity

Name                            MemberType     Definition

----                            ----------     ----------

Access                          CodeProperty   System.Security.AccessControl.AuthorizationRuleCollection Access{get=...

Group                           CodeProperty   System.String Group{get=GetGroup;}

Owner                           CodeProperty   System.String Owner{get=GetOwner;}

Path                            CodeProperty   System.String Path{get=GetPath;}

Sddl                            CodeProperty   System.String Sddl{get=GetSddl;}

AccessRuleFactory               Method         System.Security.AccessControl.AccessRule AccessRuleFactory(System.Sec...

AddAccessRule                   Method         System.Void AddAccessRule(System.Security.AccessControl.FileSystemAcc...

AddAuditRule                    Method         System.Void AddAuditRule(System.Security.AccessControl.FileSystemAudi...

AuditRuleFactory                Method         System.Security.AccessControl.AuditRule AuditRuleFactory(System.Secur...

Equals                          Method         bool Equals(System.Object obj)

GetAccessRules                  Method         System.Security.AccessControl.AuthorizationRuleCollection GetAccessRu...

GetAuditRules                   Method         System.Security.AccessControl.AuthorizationRuleCollection GetAuditRul...

GetGroup                        Method         System.Security.Principal.IdentityReference GetGroup(type targetType)

GetHashCode                     Method         int GetHashCode()

GetOwner                        Method         System.Security.Principal.IdentityReference GetOwner(type targetType)

GetSecurityDescriptorBinaryForm Method         byte[] GetSecurityDescriptorBinaryForm()

GetSecurityDescriptorSddlForm   Method         string GetSecurityDescriptorSddlForm(System.Security.AccessControl.Ac...

GetType                         Method         type GetType()

ModifyAccessRule                Method         bool ModifyAccessRule(System.Security.AccessControl.AccessControlModi...

ModifyAuditRule                 Method         bool ModifyAuditRule(System.Security.AccessControl.AccessControlModif...

PurgeAccessRules                Method         System.Void PurgeAccessRules(System.Security.Principal.IdentityRefere...

PurgeAuditRules                 Method         System.Void PurgeAuditRules(System.Security.Principal.IdentityReferen...

RemoveAccessRule                Method         bool RemoveAccessRule(System.Security.AccessControl.FileSystemAccessR...

RemoveAccessRuleAll             Method         System.Void RemoveAccessRuleAll(System.Security.AccessControl.FileSys...

RemoveAccessRuleSpecific        Method         System.Void RemoveAccessRuleSpecific(System.Security.AccessControl.Fi...

RemoveAuditRule                 Method         bool RemoveAuditRule(System.Security.AccessControl.FileSystemAuditRul...

RemoveAuditRuleAll              Method         System.Void RemoveAuditRuleAll(System.Security.AccessControl.FileSyst...

RemoveAuditRuleSpecific         Method         System.Void RemoveAuditRuleSpecific(System.Security.AccessControl.Fil...

ResetAccessRule                 Method         System.Void ResetAccessRule(System.Security.AccessControl.FileSystemA...

SetAccessRule                   Method         System.Void SetAccessRule(System.Security.AccessControl.FileSystemAcc...

SetAccessRuleProtection         Method         System.Void SetAccessRuleProtection(bool isProtected, bool preserveIn...

SetAuditRule                    Method         System.Void SetAuditRule(System.Security.AccessControl.FileSystemAudi...

SetAuditRuleProtection          Method         System.Void SetAuditRuleProtection(bool isProtected, bool preserveInh...

SetGroup                        Method         System.Void SetGroup(System.Security.Principal.IdentityReference iden...

SetOwner                        Method         System.Void SetOwner(System.Security.Principal.IdentityReference iden...

SetSecurityDescriptorBinaryForm Method         System.Void SetSecurityDescriptorBinaryForm(byte[] binaryForm), Syste...

SetSecurityDescriptorSddlForm   Method         System.Void SetSecurityDescriptorSddlForm(string sddlForm), System.Vo...

ToString                        Method         string ToString()

PSChildName                     NoteProperty   System.String PSChildName=test

PSDrive                         NoteProperty   System.Management.Automation.PSDriveInfo PSDrive=C

PSParentPath                    NoteProperty   System.String PSParentPath=Microsoft.PowerShell.Core\FileSystem::C:\

PSPath                          NoteProperty   System.String PSPath=Microsoft.PowerShell.Core\FileSystem::C:\test

PSProvider                      NoteProperty   System.Management.Automation.ProviderInfo PSProvider=Microsoft.PowerS...

AccessRightType                 Property       System.Type AccessRightType {get;}

AccessRuleType                  Property       System.Type AccessRuleType {get;}

AreAccessRulesCanonical         Property       System.Boolean AreAccessRulesCanonical {get;}

AreAccessRulesProtected         Property       System.Boolean AreAccessRulesProtected {get;}

AreAuditRulesCanonical          Property       System.Boolean AreAuditRulesCanonical {get;}

AreAuditRulesProtected          Property       System.Boolean AreAuditRulesProtected {get;}

AuditRuleType                   Property       System.Type AuditRuleType {get;}

AccessToString                  ScriptProperty System.Object AccessToString {get=$toString = "";...

AuditToString                   ScriptProperty System.Object AuditToString {get=$toString = "";...

To find the specific parameters for a given method, just filter the output and pipe it to Format-List. For instance, here are the details about the GetAccessRules method used in the script:

PS F:\> Get-Acl F:\Folder | Get-Member -MemberType Method "GetAccessRules" | Format-List

TypeName   : System.Security.AccessControl.DirectorySecurity

Name       : GetAccessRules

MemberType : Method

Definition : System.Security.AccessControl.AuthorizationRuleCollection GetAccessRules(bool includeExplicit, bool includ

eInherited, type targetType)

Here’s a short version, this time looking at the definition for the SetAccessRuleProtection method:

PS F:\> Get-Acl F:\Folder | Get-Member "SetAccessRuleProtection" | FL

TypeName   : System.Security.AccessControl.DirectorySecurity

Name       : SetAccessRuleProtection

MemberType : Method

Definition : System.Void SetAccessRuleProtection(bool isProtected, bool preserveInheritance)

12. Conclusion

I hope this helped you understand how to manipulate Security Descriptors and Access Control Lists using PowerShell. ACLs are used in several other places, like Registry entries, Active Directory objects and File Shares. I’m sure that adding these abilities to your PowerShell tool belt will eventually come in handy.

As usual, the MSDN site is a great reference. You can find all the details about the methods I used here by searching for the method name on MSDN. You can also look at an overview of the methods related to Security Descriptors (with lots of links) at: http://msdn.microsoft.com/en-us/library/system.security.accesscontrol.aspx.

Also be sure to check my other blog posts about PowerShell athttp://blogs.technet.com/b/josebda/archive/tags/powershell/.

FROM:http://blogs.technet.com/b/josebda/archive/2010/11/12/how-to-handle-ntfs-folder-permissions-security-descriptors-and-acls-in-powershell.aspx

新建共享,NTFS权限设置的更多相关文章

  1. NTFS权限设置时卡死

    客户是一家技术咨询和零部件制造的小公司,使用的文件服务器为R410上插4块1T硬盘做raid 5,服务器操作系统为windows server 2008R2,所有的设计资料的授权都是结合域账户和NTF ...

  2. Linux下mysql新建账号及权限设置各种方式总结

    来自:http://justcoding.iteye.com/blog/1941116 1.权限赋予 说明:mysql部署在服务器A上,内网上主机B通过客户端工具连接服务器A以进行数据库操作,需要服务 ...

  3. Linux下mysql新建账号及权限设置

    http://www.cnblogs.com/eczhou/archive/2012/07/12/2588187.html 1.权限赋予 说明:mysql部署在服务器A上,内网上主机B通过客户端工具连 ...

  4. NTFS权限和共享权限的区别

    共享权限 共享权限有三种:完全控制.更改.读取 共持本地安全性.换句话说,他在同一台计算机上以不同用户名登录,对硬盘上同一文件夹可以有不同的访问权限. 注意:NTFS权限对从网络访问和本机登录的用户都 ...

  5. NTFS权限概述

    NTFS权限概述 NTFS是我常见的一种磁盘格式,在Windows系统中使用广泛,它打破了FAT的局限性.在我使用ntfs格式分区的时候经常会涉及到ntfs权限设置问题,来帮助我们对文件的处理.那么什 ...

  6. IIS中的上传目录权限设置问题

    虽然 Apache 的名声可能比 IIS 好,但我相信用 IIS 来做 Web 服务器的人一定也不少.说实话,我觉得 IIS 还是不错的,尤其是 Windows 2003 的 IIS 6(马上 Lon ...

  7. 多站点IIS用户安全权限设置

    如果我们为每个站点都建立一个用户,并设置该用户只有访问本站点的权限,那么就能将访问权限控制在每个站点文件夹内,旁注问题也就解决了 一.这样配置的好处? 不知大家有没有听过旁注?我简单的解释一下吧:有个 ...

  8. NTFS权限详解

    NTFS权限是作为一个Windows管理员必备的知识,许多经验丰富的管理员都能够很熟悉地对文件.文件夹.注册表项等进行安全性的权限设置,包括完全控制.修改.只读等.而谈论NTFS权限这个话题也算是老生 ...

  9. 利用NTFS权限与虚拟目录,在IIS 6.0的默认FTP站点中做用户隔离。

    默认FTP站点为不隔离用户站点,利用NTFS权限设置,达到仅能访问指定目录效果. 是否允许匿名连接 FTP站点主目录:站点范围内有没有用户需要上传,有的话,要勾选“写入”:具体用户使用NTFS还给予写 ...

随机推荐

  1. codeforces 392A Blocked Points

    我的方式是用暴力的方法找到每一行每一列的边界点: 但是有大神直接用一个公式解决了:floor(n*sqrt(2))*4: 想了很久还是不理解,求各路大神指点! #include<iostream ...

  2. Oracle---->基本DDL

    修改表名: rename table_name1 to table_name2; delete [from] persons where lastname= 'Wilson';

  3. Cannot generate SSPI context---MS SQL ERROR

    http://www.cnblogs.com/newr2006/archive/2011/08/25/2153253.html Additional error information from SQ ...

  4. android TabActivity的局限性 是否还有存在的必要性

     TabActivity的局限性 是否还有存在的必要性 其实谷歌有此举动,我们也应该早就想到了,为什么会这么说呢?那就要从TabActivity的原理开始说起了. 做个假定先: 比如我们最外面的Act ...

  5. jenkin系列_调度jmeter实现分布式测试

    假设现在有 192.168.1.100(jmeter 控制器 C ).192.168.1.101(jmeter负载机 B)两台机器进行分布式测试,各个步骤如下 1. C 和B 安装jmeter,并运行 ...

  6. [状压dp]POJ1185 炮兵阵地

    中文题 题意不再赘述 对于中间这个“P” 根据dp的无后效性 我们只需考虑前面的 就变成了 只需考虑: 也就是状压前两行 具体与HDOJ的4539类似: 看HDOJ 4539 仅仅是共存状态的判断不同 ...

  7. mac终端命令简介

    mac终端命令简介(适合刚刚入手mac的新人们) 1.取得root权限 意义相当与windows中的超级管理员权限,甚至还要超出.root权限可以修改系统中的任何文件,不过对普通用户的意义不大,了解即 ...

  8. SPRING IN ACTION 第4版笔记-第四章ASPECT-ORIENTED SPRING-010-Introduction为类增加新方法@DeclareParents、<aop:declare-parents>

    一. 1.Introduction的作用是给类动态的增加方法 When Spring discovers a bean annotated with @Aspect , it will automat ...

  9. 关于捕获键盘信息的processDialogkey方法

    在一些控件里的keydown方法,没有办法捕获所有的按键消息 比如自己写一个窗体控件库,继承了UserControl 但是没有办法捕获一些键,比如方向键等 所以必须重载 processDialogke ...

  10. 使用vs2010进行驱动开发的补充

    看到前面的一篇文章 ,在这里http://www.cnblogs.com/wubiyu/archive/2010/05/17/1737420.html vs2010配置驱动开发基本上按照如上所说就差不 ...